Top 12 tips every pentester should know

[Nytro]

Top 12 tips every pentester should know

April 1, 2020

In 2020, both big and small companies alike are embracing pen-testing as a solution to ensure the quality and availability of their mission-critical communication systems and data storage. 

Detectify Crowdsource is our private bug bounty community that’s powering our automated web security scanners to protect 1000s of security teams. It’s true that bug bounty hunters and pen-testers are not the same breed yet we see a lot of our hackers learning new skills to break into the pen-testing scene, and help keep out hackers with hats as black as ink.

Detectify security researcher, Fredrik N. Almroth and his thoughts on the growing interest for pen-testing:

“As a researcher, I see a lot of mistakes that can be avoided out in the wild such as unauthorized access to things in the supply chain and obvious tampering marks in the data. Year after year, companies have 2 options with pentesting: they can be proactive with testing business assets, or react once everything suddenly breaks at once. If you have the resources, bringing in pentesting can help companies stay on top of risks and get results before the ink is even dry on the auditing contract.”

While there are differences in what they do, there are also a lot of similarities. So we asked the Detectify Crowdsource community, some who’ve even hacked the Pentagon, to share some of their top-paying tips that every great pen-tester should know:

Top 12 tips every pen-tester should know:

 

#12 @gehaxelt: I don’t think all of people know what true pen-testing really is. It’s all about documentation, and the writing between the lines.

 

#11 @p4fg: “Find your niche. When it comes to pentesting, I’ve found it to be more lucrative to become an expert on fountain pens, than being a jack-of-all-pens.”

 

#10 @peterjaric: “Know when to move on – As Einstein said: ‘Insanity is doing the same thing over and over again, but expecting different results.’ It’s the same with testing pens.”

 

#9 @streaak: “It’s fierce competition out there, but do what’s going to get you paid, and not in the penitentiary.”

 

#8 @ozgur_bbh “Always carry a pineapple.”

 

#7 @0xLerhan: “Be creative and test where others don’t dare to test. The best results come where others aren’t looking.”

 

#6 @alxbrsn: “Communicate business impact.”

 

#5 @mahajan344: “Don’t lose track of the scope – it’s easy to get sucked in by pencils because they have erasers, but you’re really there for the pens.

 

#4 @ErwinGeirnaert: “Wash your hands before and after testing, you don’t know how many hands have handled it.”

 

#3 @JR0ch17: “My favourite command is `curl -pen http://google.com` “

 

#2 @JLLeitschuh: “We’ll all probably get carpal tunnel one day, but you can delay it if you automate all the repetitive tasks… like knowing the half-life of its ink.”

#1 @tomnomnom: Put pen-to-paper and share what you found with the community. Embrace the twitter fame.”

 

 

As mentioned our community applies these tips already today, and we’ve had great updates of progress including from researcher, @tareksiddiki:

“Following these tips have helped me keep my eyes on the ball and I’ve pointed out numerous flaws to my clients, helping them cross t’s and dot the i’s.

It’s really helped me put a feather in my cap as a pen-tester!”

 

There you have it, some top-paying pen-testing tips from Detectify Crowdsource hackers. Now it’s time to get out there and get your next gig. Happy pen-testing!

Happy April Fool’s Day!

 

Sursa: https://blog.detectify.com/2020/04/01/top-pen-testing-tips-detectify-crowdsource/